
Commit 51bb80b

authored
security: sanitize key_value field content (#2357)
1 parent adc874f commit 51bb80b


3 files changed

+8
-1
lines changed


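--- a/app/javascript/js/controllers/fields/key_value_controller.js
+++ b/app/javascript/js/controllers/fields/key_value_controller.js
@@ -1,4 +1,5 @@
 /* eslint-disable max-len */
+import * as DOMPurify from 'dompurify'
 import { Controller } from '@hotwired/stimulus'
 import { castBoolean } from '../../helpers/cast_boolean'
 
@@ -80,7 +81,7 @@ export default class extends Controller {
 let index = 0
 this.fieldValue.forEach((row) => {
 const [key, value] = row
-result += this.interpolatedRow(key, value, index)
+result += this.interpolatedRow(DOMPurify.sanitize(key), DOMPurify.sanitize(value), index)
 index++
 })
 this.rowsTarget.innerHTML = result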
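Review bot: `DOMPurify.sanitize` on the new line is HTML-fragment sanitization, not output encoding, so it is only the right tool if `interpolatedRow` places `key` and `value` as markup between tags; if it interpolates them into attribute values (an input's `value="…"`, for instance), characters that are harmless as text still terminate the attribute, and the result assigned to `this.rowsTarget.innerHTML` remains injectable. `interpolatedRow` is outside this hunk, so this needs confirming against its template; for plain-text key/value pairs, HTML-entity encoding for the target context would both close that gap and keep a literal `<b>` in a user's value from rendering as bold. A comment on the sanitize line stating the intended context would help the next reader, e.g. `// sanitized as HTML text content: interpolatedRow must not place these inside an attribute`. The enclosing method starts outside the hunk. Separately, `import * as DOMPurify from 'dompurify'` relies on the bundler's namespace interop for the package's default export; the documented form is `import DOMPurify from 'dompurify'`, which is worth aligning to unless the namespace form is known to resolve here.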

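--- a/package.json
+++ b/package.json
@@ -34,6 +34,7 @@
 "codemirror": "5.59.1",
 "core-js": "^3.35.0",
 "css-loader": "^6.9.0",
+"dompurify": "^3.0.8",
 "easymde": "^2.18.0",
 "el-transition": "^0.0.7",
 "esbuild": "^0.14.54",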

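--- a/yarn.lock
+++ b/yarn.lock
@@ -2090,6 +2090,11 @@ doctrine@^3.0.0:
 dependencies:
 esutils "^2.0.2"
 
+dompurify@^3.0.8:
+version "3.0.8"
+resolved "https://registry.yarnpkg.com/dompurify/-/dompurify-3.0.8.tgz#e0021ab1b09184bc8af7e35c7dd9063f43a8a437"
+integrity sha512-b7uwreMYL2eZhrSCRC4ahLTeZcPZxSmYfmcQGXGkXiZSNW1X85v+SDM5KsWcpivIiUBH47Ji7NtyUdpLeF5JZQ==
+
 easymde@^2.18.0:
 version "2.18.0"
 resolved "https://registry.yarnpkg.com/easymde/-/easymde-2.18.0.tgz#ff1397d07329b1a7b9187d2d0c20766fa16b3b1b"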
